Abstract


The 2009 Quadrennial Roles and Missions Review Report states “experience from
recent operations and global cyberspace incidents underscore the critical role cyberspace
capabilities play in preventing conflict when possible, and supporting full-spectrum military
operations when necessary...Our national security is inextricably linked to the cyberspace
domain, where conflict is not limited by geography or time.” The standup of United States
Cyber Command in September 2009 was a milestone in cyberspace command and control
(C2). However, the DOD continues to struggle in developing the proper doctrine,
organizations, and processes to execute the cyberspace mission across the range of military
operations. Current doctrine has not kept pace with the technological and intellectual
advancements of cyberspace. Using a cyber scenario as a backdrop, this paper examines
some of the complex challenges operational commanders face concerning cyberspace C2. It
discusses current doctrine disconnects, Computer Network Operations fundamentals, the
information environment and cyberspace’s role in it, as well as the levels of warfare. Finally,
the paper contrasts two possible models for cyberspace C2 at the operational level of
command, and provides recommendations to meet cyberspace challenges.


INTRODUCTION 


Fact or Fiction: North Publica executes Operation EAGLE HUMILIATION.

Phase I - Exploitation: North Publica (NP) is the most recent rogue nation added to
the United States’ Axis of Evil list. NP’s current anti-American operation executes a
high-visibility attack against the United States while setting up al-Qaeda (AQ) for retribution. For
over eight months, NP carried out cyber exploitation against a utility company in Guam
while a small Special Forces (SF) unit exercised associated urban terrorist tactics. The cyber
exploitation was targeted against a utility company (Quality Electric-QE) providing power to
the island.

QE believed they had a secure network; the power plant’s computer system was “air
gapped” from the internet. However, QE connected their internal administrative network to
the plant’s supervisory control and data acquisition (SCADA) system for direct real-time
access to improve business efficiency and effectiveness. Through human intelligence, NP
determined the QE operation’s manager was a Pittsburgh Steelers fan and visited various
football internet sites. Through a series of social engineering techniques, NP operatives
befriended the manager on-line. The NP team exchanged stories and later video clips.

When the QE executive viewed the video, it downloaded to his hard drive, and when his
desktop search program indexed the file, a Trojan horse executed. The exploitation program
searched his hard drive for information on access to the SCADA system and sent vital data
back to NP through a safe “dead-drop” email location. Within a very short time, NP
established an administrator-level account on the QE network. Over several months, NP
mapped the network to establish a topography to understand the network nodes and
vulnerabilities. NP also succeeded in gaining needed access to the SCADA system.

Phase II - Cyber Execution: On 26 November, NP executed its well-planned
operation. The first step was to shut down power to the tourist area near Tumon Beach. To
help conceal its identity, NP cyber warriors used anonymizer techniques. In this case, they
used onion routing to disguise the source of the remote cyberattack. NP routed the
command to disrupt the QE SCADA through a number of countries to include Australia,
France, Russia, Indonesia, and finally the United States. The final command would look like
it came from a location in California and would leave pointers back through routers to a
known AQ operating location in Southeast Asia. Additionally, the NP “hacked” an AQ
website and posted a statement claiming AQ was responsible for the Guam attacks.

The direct effect of the cyberattack was to activate a pre-positioned program in the
company’s computer to disrupt normal operations. The indirect effect was to interrupt the
electric power for the northwest portion of Guam. However, an unintended effect was to
cycle power switchgear, which overheated several generator system processors. The
generators then shut down and caused a blackout throughout the island including several
hospitals. NP leaders understood cyber operations would have both intended and unintended
consequences. Although the NP leaders did not plan for these unintended outages, it played
into their larger information operation to terrorize and humiliate the United States.

Phase III - Urban Operations: The NP SF kicked off their urban terrorist operations as
soon as the lights went black in the Tumon Bay tourist district. The plan called for
traditional terrorist and kinetic operations, but the team employed cutting-edge technology
and cyberspace operations to execute the mission. The SF initially used the internet and
Google Earth maps to survey the area and determine target sets. The 10 NP terrorists
carried AK-47s and knapsacks loaded with explosives and plastic bags filled with food,
amphetamines, and grenades. They split up and went after several high-value targets to
include a prominent five-star hotel. Each of the SF units communicated with their NP
handlers in real-time by satellite phones. At the hotel, they used their phones and Voice over
Internet Protocol (VoIP) to discuss operations and relay victim information with the NP
command center. In real-time, center personnel would then use the internet to verify victim
identification and pass further instructions. As the siege at the hotel continued, the handlers
even provided updates to the terrorists based on information they received over international
news broadcasts such as CNN. After 60 hours and 172 dead, the local police captured one
and killed nine of the terrorists.

The above North Publica scenario is both fact and fiction. North Publica is, of
course, fictional but it could be any number of nation states or terrorist/criminal groups.
Additionally, Phase I and II of Operation EAGLE HUMILIATION were fictional. However,
a relatively sophisticated group of cyber warriors could execute the underlying technologies
and possibly a similar mission. Phase III is fact; this operation was carried out over several
days by the Lashkar-e-Taibi (LeT) terrorist group in November 2008 in Mumbai, India.

The scenario highlights just a few of the complex issues facing Department of Defense
(DOD) senior leaders as they develop cyberspace doctrine, organizations, and processes.

The 2006 National Military Strategy for Cyberspace Operations (NMS-CO) states, “The
United States operates in a global environment characterized by interdependence,
uncertainty, complexity, and continual change.” This is especially true for cyberspace
where the military went from stand-alone computers processing administrative actions to
net-centric weapon system platforms accomplishing crucial missions and the standup of a
Sub-Unified Command to oversee a new domain in less than two decades. The DOD is now “all
in” across the Range of Military Operations (ROMO) when it comes to Computer Network
Operations (CNO).

The DOD made considerable progress in its initial efforts to address operations in the
domain of cyberspace. However, the DOD continues to struggle in developing the proper
doctrine, organizations, and processes to execute the complex cyberspace mission. Current
doctrine has not kept pace with the technological and intellectual advancements of
cyberspace. Furthermore, organizations continue to change and adapt to the cyberspace
environment. The standup of United States Cyber Command (USCYBERCOM) in
September 2009 was a significant milestone in cyberspace command and control (C2).

Due to the unique domain of cyberspace, the sub-unified commander should execute
operational C2 of cyber forces under a Joint Functional Component Command for Cyber
(JFCC-Cyber) model versus a Joint Force Commander (JFC) executing through a Joint Force
Cyberspace Component Commander (JFCCC). Using the NP scenario as a backdrop, this
paper examines some of the challenges operational commanders face that drive cyberspace
C2. It will discuss current doctrine disconnects, CNO fundamentals, the information
environment and cyberspace’s role in it, as well as the levels of warfare. The paper finally
contrasts two possible models (noted above) for cyberspace C2 at the operational level of
command, and provides recommendations to meet cyberspace challenges.

DOCTRINE DISCONNECTS

Current DOD cyberspace doctrine is in its infancy. Much of the doctrine is based on
CNO’s place within the larger framework of Information Operations (IO). However, cyber
doctrine is adapting and growing. Influential documents such as the 2009 DOD Quadrennial
Roles and Missions Review Report (QRM) and 2006 NMS-CO provide insight beyond the
Chairman of the Joint Chiefs of Staff (CJCS), Joint Publication 3-13, Information
Operations. Furthermore, computer systems are now pervasive throughout DOD mission
areas. As network technology advances and CNO expands, new vulnerabilities and
opportunities arise.

General James Cartwright, as the Acting CJCS, published a new definition of
cyberspace operations on 18 August 2009. He states, cyberspace operations are “the
employment of cyber capabilities where the primary purpose is to achieve objectives in or
through cyberspace. Such operations include computer network operations and activities to
operate and defend the Global Information Grid.” The CJCS description builds on the
definition of cyberspace in the 2009 QRM. The QRM describes “cyberspace as a global
domain within the information environment consisting of the interdependent network of
information technology infrastructures, including the Internet, telecommunications networks,
computer systems, and embedded processors and controllers.” The report’s definition
establishes a clear and general understanding of cyberspace’s composition. The two
combined definitions provide foundational insight into the current definition of CNO and set
the stage to discuss doctrine disconnects.

Current Joint Doctrine characterizes CNO as one of the five core capabilities of IO.
CNO is lumped together with the disparate areas of Psychological Operations, Military
Deception, Operations Security, and Electronic Warfare due to commonalities in the
information environment. The doctrine suggests the ultimate objective of each core IO
area is to influence a decision maker to act (or not act) in a specific manner. However,
General Alexander, the new USCYBERCOM commander, noted, “the principal effect of
cyber warfare is to deny the enemy freedom of action in cyberspace. Granted, by denying
enemies’ freedom of action in cyberspace, we will also influence them; however, influence is
not the intended primary effect—denying freedom of action is the primary effect.” This
doctrinally separates cyber operations from the other IO capabilities. Furthermore,
cyberspace’s growth has positioned it in a place of preeminence as compared to its brother
IO core capabilities.

CNO FUNDAMENTALS

Joint doctrine breaks CNO into three distinct military operational areas: Computer
Network Attack (CNA), Computer Network Exploitation (CNE), and Computer Network
Defense (CND). Joint Pub 3-13 defines CNA as “actions taken through the use of
computer networks to disrupt, deny, degrade, or destroy information resident in computers
and computer networks, or the computers and networks themselves.” CNA can also be
described in a broader concept of cyberattack. Cyberattack alters, disrupts, deceives,
degrades, or destroys an adversary’s computer system or network or information and/or
programs resident in or transiting the systems or networks. More specifically, the NMS-CO
describes cyberattack operations as, “DOD will execute the full ROMO in and through
cyberspace to defeat, dissuade, and deter threats against US interests.”

One should view CNE as an enabling capability of CNA; a cyber warrior will likely be
in a position to exploit first and then potentially attack. Current doctrine describes CNE as
“enabling operations and intelligence collection capabilities conducted through the use of
computer networks to gather data from target or adversary automated information systems or
networks.” Again, CNE may be addressed in a broader context as cyberexploitation.
Cyberexploitation supports the “goals and missions of the party conducting the exploitation,
usually for the purpose of obtaining information resident on or transiting through an
adversary’s computer systems or networks. Cyberexploitations do not seek to disturb the
normal functioning of a computer system or network from the user’s point of view—indeed,
the best cyberexploitation is one that such a user never notices.” Additionally, the
timeframe for cyberexploitation is substantial, usually measured in weeks or months.

Finally, the NMS-CO puts it in military specific terms by stating, “DOD will use network
exploitation to gather intelligence and shape the cyberspace environment as necessary to
provide integrated offensive and defensive operations.”

There is a clear link between attack and exploitation, but the relationship can be
complex. CNE is usually the first step needed for CNA. CNA and CNE are not, however,
mutually exclusive options—destroy the computer/network or exploit it. In fact, destroying
the computer/network “may also reveal to the adversary some vulnerability or access path
previously unknown to him, and thus compromise friendly sources and methods.” The
transition between the two can be smooth. For example, a CNE tool could have imbedded
CNA capabilities for possible later execution. On 16 September 2009, RDML William
Leigher discussed an operational CNE/CNA process model at the Naval War College.
Figure 1 in appendix A depicts an author-enhanced CNE/CNA process based on the lecture.

Although CND is a critical element of cyberspace operations, it is beyond the focus of
this research. In this context, one should understand CND’s role as the third leg of the CNO
stool. Joint Pub 3-13 defines CND as “actions taken through the use of computer networks
to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD
information systems and computer networks.” CND can be either active or passive
defense. In some cases, active defense could mean using CNA to defensively eliminate
threats. For example, if the DOD confirmed it was the target of a cyberattack, the DOD
could (hypothetically) execute a botnet counterattack employing distributed denial of service
(DDOS) at the threat.

The NP cyber warriors understood the fundamentals of CNE and CNA. They expertly
employed social engineering and then cyberexploitation to map QE’s network topology.
When the time came, they executed a relatively sophisticated cyberattack that covered their
electronic tracks. They also clearly understood cyberattack could be especially effective
when used in conjunction with kinetic attacks or other operations. Finally, the terrorists
understood they could meet their strategic IO goals with a series of tactical actions. They
focused on all three aspects of the information environment.

INFORMATION ENVIRONMENT AND CYBERSPACE’S ROLE

It is important to understand the information environment and cyberspace’s role
within it when examining possible C2 constructs. Even though cyberspace is disconnected
from the other IO core capabilities, it still shares the same attributes of the information
environment. Joint Pub 3-13 describes the information environment as:

The aggregate of individuals, organizations, and systems that collect,
process, disseminate, or act on information. The actors include leaders,
decision makers, individuals, and organizations. Resources include the
materials and systems employed to collect, analyze, apply, or disseminate
information...where humans and automated systems observe, orient,
decide, and act upon information...it resides within each of the four
domains. The information environment is made up of three interrelated
dimensions: physical, informational, and cognitive.

The physical dimension of the information environment contains cyber hardware and
infrastructure. It includes items such as C2 systems and networks, computers and
communications systems, and the related infrastructure. The information dimension
contains information that is processed, stored, disseminated, displayed, and protected; all of
which are important functions that take place within cyberspace. The cognitive dimension
encompasses the mind of the target audience and is where people think, perceive, visualize,
and decide. Again, influencing a target audience within the cognitive dimension could be a
critical indirect effect of a cyberattack. The links to IO are strong, but cyberspace is a
domain unlike the other IO core capabilities.

The debate concerning cyberspace being a domain is essentially over. General
Chilton, Commander of United States Strategic Command (USSTRATCOM) unequivocally
stated, “cyberspace has emerged as a global war-fighting domain—a domain that is as critical
to ensuring our national security as its companion domains of land, space, sea, and air.”
General Alexander advocated cyberspace cross-domain integration when he stated, “When
we conduct any military operation, we must integrate and synchronize all available
instruments of warfare in all domains.”

However, the intellectual transition of cyberspace from a function to a domain
remains a challenge for some planners and leaders. These misguided warriors want to
continue to treat cyberspace as a disparate set of missions or functional areas to be spread
across the services and DOD agencies. Former Secretary of the Air Force, Michael Wynne,
summed up the debate best when he stated, “The cyber realm embodies far more than just
network warfare. Cyberspace is a domain, like land, where each of the principles of war
applies. To grasp this concept requires a major institutional and cultural shift in war planning
and operations.”

The NP cyber warriors integrated and synchronized their cyber and SF operations to
bring about strategic level effects. The bold Mumbai attacks, broadcast on international
television, had global ramifications. Simply executing the tactical blackout operations would
have had similar strategic impacts. However, the blackout attacks alone may have had
diminished cognitive impacts on the target audience (American population). The terrorists
understood how CNO transcends the levels of warfare from tactical to strategic.

LEVELS OF WAR

Comprehending the levels of war and how cyberspace transcends them is essential to
building an effective C2 construct. Dr. Milan Vego links the three levels of war—tactical,
operational, and strategic—to the scale and complexity of the objective to be accomplished.
He explains, “In a physical sense, there are, of course, no ‘levels,’ but only different sizes of
physical space and mediums (land, sea, air/space) in which friendly and enemy forces
operate.” Cyberspace, however, is not restricted by the same physical boundaries as the
domains of land, sea, air, or space. These differences require a unique mindset. The types
of weapons and access to them also support that the cyberspace domain must be treated
differently.

The barriers to entry for CNO are minimal. Many of the “technologies are inexpensive
and easily available to non-state actors, including individuals, and these technologies include
some that are as capable of doing great harm as those available to governments.” In the
domain of cyberspace, a weapon of mass destruction may be a single hacker’s computer
controlling a million-plus computer botnet. Furthermore, the technical expertise to execute
cyberattacks effectively is prevalent. With a small investment, hackers have caused
millions of dollars of damage and operational/strategic effects.

Cyberattacks are much like the United States Marine Corps’ concept of the “strategic
corporal.” A Marine in the field at the tactical level can have strategic effects, especially in
a counterinsurgency operation. Dr. Vego addresses this concept when he notes, “All of the
levels of war are interrelated; actions and activities at each level affect the other
levels...decisions made at the tactical level have considerable and sometimes significant
impact on events at the operational and even strategic levels of war. Sometimes tactical
events cause a significant ripple effect at the operational and strategic levels of war.”

Furthermore, the United States’ reliance on cyberspace provides an enemy cyber warrior
opportunity to attack at the operational or strategic level. As in the NP scenario, a tactical
attack can have strategic effects when targeted against high-value infrastructure targets. This
reliance on cyberspace drove senior government leaders to adopt a new organization to
oversee the domain.

ESTABLISHMENT OF USCYBERCOM

Today, almost every facet of American society relies on cyberspace. For the
military, cyberspace became critical to execute C2, intelligence, communications, planning,
and mission operations. Additionally, our dependence on cyberspace and net-centric
activities continues to grow at a rapid rate. Out of this setting came the birth of
USCYBERCOM.

On 23 June 2009, Secretary of Defense Gates signed a memo establishing a
Subordinate Unified USCYBERCOM under USSTRATCOM to execute military cyberspace
operations. He addresses the critical need by stating, “our increasing dependency on
cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new
element of risk to our national security. To address this risk effectively and to secure
freedom of action in cyberspace, the DOD requires a command that possesses the required
technical capability and remains focused on the integration of cyberspace operations.”

The new organization pulls together offensive and defensive cyber expertise across
the DOD. The direction disestablishes the Joint Task Force-Global Network Operations and
Joint Functional Component Command-Network Warfare and reestablishes the functions at
USCYBERCOM no later than October 2010. It also directs the CJCS to develop an
implementation plan to delineate “mission, roles and responsibilities, command and control,
reporting and support relationships with combatant commands, Services, and U.S.
Government departments and agencies.” Developing and executing an effective C2
construct is critical due to the unique characteristics of the cyberspace domain.

OPERATIONAL C2

The NP scenario provided basic insight into the complex variables associated with
CNO C2. From mission planning, execution of exploitation and attack, to determining
attribution, an operational commander must fully comprehend the cyberspace domain. The
commander also requires integration of organizations, capabilities, functions, technologies,
and missions to achieve the desired effects in and through cyberspace.

Against the NMS-CO backdrop and the standup of USCYBERCOM, the paper will
now examine two new models for cyberspace C2. The first model is placing a Joint Force
Cyberspace Component Commander (JFCCC), much like a Joint Force Air Component
Commander (JFACC), under a Joint Force Commander (JFC). Air Force doctrine notes
that a JFACC “focused on the broader aspects of an operation, can best mediate the
competing demands for tactical support against the strategic and operational requirements of
the conflict.” The JFCCC would act in a similar manner for cyberspace operations and
would be located at the JFC headquarters.

The second model is a Joint Functional Component Command for Cyber (JFCC-Cyber)
similar to the current JFCC-SPACE. The “JFCC-SPACE continuously coordinates,
plans, integrates, commands and controls space operations to provide tailored, responsive,
local and global effects, and on order, denies the enemy the same, in support of national,
USSTRATCOM and combatant commander objectives.” Furthermore, the Commander,
JFCC-SPACE using the capabilities inherent in the Joint Space Operations Center (JSpOC)
“serves as the single point of contact for military space operational matters to plan, task,
direct, assess, and execute space operations.” In this case, the JFCC-Cyber and an
associated Joint Cyber Operations Center (JCyOC) would be located at USCYBERCOM.

The two models each have strengths and weaknesses for executing CNO. Although
an operational commander has many cyberspace C2 requirements, this paper will compare
and contrast the models against only five key requirements—specialized knowledge,
coordination, time, attribution determination, and operational vision. Each of the models will
be rated as high, medium, or low on how well it meets the requirement.

As described in the NP scenario, CNO is very complex to plan and execute.
Cyberattacks “can involve a much larger range of options than most military operations, and
because they are fundamentally about an attack’s secondary and tertiary effects, there are
many more possible outcome paths whose analysis often requires highly specialized
knowledge.” Additionally, the CNO planning effort may require “enormous amounts of
intellectual coordination among different individuals.” Due to a JFC’s limited force
structure, a JFCCC would likely have a small staff with limited dedicated cyber-knowledge
resources. Executing a cyberattack without fully comprehending the many possible effects
could have devastating strategic impacts. The JFCCC would need reach-back capability to
meet his specialized knowledge requirement, which could impact operational timing (see
below). Using the JCyOC and resident National Security Agency assets, the JFCC-Cyber
would have a robust base of cyber knowledge to tap. Capability rating: JFCCC, low;
JFCC-Cyber, high.

The NMS-CO noted that CNO requires a great level of coordination and
synchronization. Partnerships and strong relationships are necessary not only between
DOD organizations, but also within the United States Government, the private sector, and
allied nations. Specifically within the government, partnerships are needed with the
“Intelligence Community, Department of Justice, Department of Homeland Security, and
other Federal departments.” At the JFCCC, manpower constraints may negate having a
large organization with multiple liaisons from across this wide spectrum of organizations. It
may be possible to pull together the full team at one JFC staff, but to replicate this across
theaters or Geographic Combatant Commands (GCC) would be near impossible. The
JFCCC would need to use reach-back for coordination. The JFCC-Cyber’s organization (and
JCyOC) is built upon having all the required organizations participate as part of its daily
operational routine. Its cross-cutting team should be staffed and equipped to address issues
from the multiple entities. Capability rating: JFCCC, medium; JFCC-Cyber, high.

Time is a significant issue when executing all three legs of the CNO stool. In fact,
“the time scales on which cyberattacks operate can range from tenth of a second to years.”
The  NP  scenario  highlights  that  a  cyberexploitation  operation  could  take  months  to  establish 
and  could  then  be  active  for  weeks,  months,  or  years.  Additionally,  reaction  time  for  CND  is 
a  concern.  If  the  attacking  computer  cuts  the  transmission  path  or  goes  dark  before  it  is 
traced,  the  opportunity  for  counter-attack  may  be  difficult  or  impossible. The  organization 
must  be  flexible  and  adapt  to  the  factor  of  time.  The  time  requirement  also  links  back  to  the 
organization  having  the  wherewithal  and  expertise  to  react  to  each  CNO  area.  In  either 
model, a JFC must provide cyber mission requirements with long-lead time as soon as
possible to the planning process. The JFCC will not have in-house capabilities to execute
either the CNE or CNA mission. The JFCC-Cyber may have limited in-house CNE/CNA
capabilities  in  the  JCyOC,  but  would  have  operational  and  tactical  control  of  component 
units  accomplishing  the  missions.  This  relationship  should  provide  greater  insight  and 
reaction  speed.  Capability  rating:  JFCCC,  low;  JFCC-Cyber,  medium. 

Attribution  is  the  process  of  trying  to  identify  the  party  responsible  for  a 
cyberattack. Proper  attribution  must  be  accomplished  prior  to  any  consideration  of 
retribution.  Again,  the  relationship  between  cyberexploitation  and  cyberattack  is  very 
complex — one  could  easily  perceive  exploitation  as  attack.  The  NP  case  provides  several 
“hooks” for the DOD to grab during the attribution process. A few of the attribution
questions (as discussed by Owens, et al.) an operational commander must consider are in
appendix A, Table 1. Both C2 constructs will be challenged to quickly and effectively
meet the attribution determination requirement. The specialized resources of the JCyOC
should provide an advantage over the JFCCC’s operations center in-house assets. The
“all-source” capabilities in the JCyOC are built upon the partnerships noted above. Capability
rating:  JFCCC,  low;  JFCC-Cyber,  medium. 

Finally,  any  operational  cyber  C2  construct  should  contribute  to  the  commander’s 
operational  vision.  Understanding  what  is  happening  within  the  domain  and  possible  effects 
on  operations  is  critical.  Having  a  solid  operational  awareness  also  provides  insight  and 
clarity  to  the  requirements  of  coordination,  time,  and  attribution.  Because  there  are  no 
geographic  lines  or  boundaries  to  cyberspace,  a  JFCCC  focusing  on  a  specific  theater  or  area 
of operations will likely have a more restricted sight picture. Reach-back capability will
greatly support the effort, but subtle connections between cyber events could be missed.
Issues  with  highly-classified  and  compartmented  CNO  operations  may  also  limit  some 
knowledge.  A  primary  objective  of  the  JCyOC  is  to  provide  JFCC-Cyber  with  operational 
details  of  missions  across  the  domain  (and  globe).  Capability  rating:  JFCCC,  medium; 
JFCC-Cyber,  high. 

Based  on  a  comparison  of  results  (appendix  A,  Table  2),  the  JFCC-Cyber  model 
outperforms  the  JFCCC  model.  However,  each  cyber  C2  construct  still  has  weaknesses  that 
will  challenge  an  operational  commander.  By  centralizing  the  command  and  control  of 
cyberspace,  the  JFCC-Cyber  model  better  harnesses  the  capabilities  of  this  unique  domain. 

RECOMMENDATIONS/CONCLUSIONS 

This  essay  began  with  a  fictional  adaptation  of  a  real  world  terrorist  incident.  The  LeT 
leveraged  cyberspace  throughout  their  devastating  2008  Mumbai  rampage.  The  scenario 
highlighted  complex  issues  facing  DOD  leaders  as  they  develop  cyberspace  doctrine, 
organizations, and processes across the ROMO. The 2009 QRM stated, “Experience from
recent operations and global cyberspace incidents underscore the critical role cyberspace
capabilities play in preventing conflict when possible, and supporting full-spectrum military
operations when necessary.” To meet the challenge, DOD and USCYBERCOM should
adopt  the  below  recommendations. 

The  standup  of  USCYBERCOM  in  September  2009  was  a  significant  DOD  cyberspace 
milestone. The CJCS must now develop a plan to delineate “mission, roles and
responsibilities, command and control, reporting and support relationships...” for a full
operating capability not later than October 2010. Although the operational C2 construct of
a JFCC-Cyber is more effective than a JFCCC, the JFCC-Cyber model is unlikely to be
integrated into the on-going USCYBERCOM C2 plan. The sub-unified commander will not
want to add additional layers of organizational bureaucracy. However, USCYBERCOM can
learn valuable lessons from the highly successful JFCC-SPACE construct. The standup of
the JSpOC and its partnerships provide an opportunity to gain vital insight. USCYBERCOM
should take advantage of JFCC-SPACE lessons learned from space’s last decade of growth.

The  second  recommendation  is  to  create  dedicated  cyberspace  doctrine  versus  using  the 
current embedded IO doctrine. General Alexander noted, “while we have ample national
level  strategies,  we  have  yet  to  translate  these  strategies  into  operational  art  through 
development  of  joint  doctrine  for  cyberspace.”  Joint  level  doctrine  will  provide 
foundational  guidance  for  all  Services  and  DOD  agencies  to  build  upon. 

Finally, two cyberspace topics require additional research to enhance cyber processes
and organizations. First, a paper should focus on why a C2 construct must fully take into
account the JFC’s requirements. The JFC is the ultimate customer and should have the final
input on any CNO in their area of responsibility. Furthermore, a second paper should
address  USCYBERCOM  wargaming  and  why  it  is  vital  for  organizational  TTPs.  The 
wargames  should  include  joint,  interagency,  and  allied  partners  in  full-play  events.  As  seen 
in  the  NP  scenario,  the  intellectual  heavy-lifting  and  coordination  between  organizations 
must  be  addressed  before  the  time-critical  event  occurs. 

The  DOD  must  take  these  actions  now  to  meet  the  ever-expanding  domain  of 
cyberspace.  Our  adversaries,  whether  nation  states,  terrorists,  or  international  criminal 
groups,  have  adopted  cyber  operations  as  part  of  their  asymmetric  tactics  against  the  United 
States. “Our national security is inextricably linked to the cyberspace domain” and it is up to
USCYBERCOM to lead the charge to gain and maintain cyberspace superiority.

Figure 1 — CNE/CNA Process

APPENDIX A (continued)


Attribution Questions:

Was  the  cyberattack  actually  from  AQ? 

Do  the  tactics,  techniques,  and  procedures  (TTP)  match  past  AQ  attacks?  Does  it  match  AQ 
signature  traits? 

If  not  AQ,  does  the  signature  or  TTPs  match  another  known  adversary? 

Was  the  attack  launched  by  agents  of  the  NP  government  with  the  approval  of  the  NP 
national  command  authorities? 

Was  the  attack  launched  by  low-level  agents  of  the  NP  government  without  the  approval  or 
knowledge  of  the  NP  national  command  authorities? 

Was the attack launched by NP citizens or “patriotic hackers”? What action did the NP
government take to stop them?

Were  the  NP  computers  controlled  from  an  outside  source  (botnet)?  Was  the  NP  government 
framed? 

Did the NP government “contract” out the attack to a criminal organization to maintain
deniability?

What response, if any, is appropriate against U.S. internet providers/servers (i.e., legal, denial
of service, etc.) during and/or after the cyberattack?

Table  1  -  Cyberspace  Attribution  Questions 


Capability                         JFCCC     JFCC-Cyber
Specialized Knowledge              Low       High
Coordination                       Medium    High
Time                               Low       Medium
Attribution Determination          Low       Medium
Contributes to Operational Vision  Medium    High

Table  2  -  C2  Comparison  Matrix 